Recommended VPC setup for EKS

[ritesh]

In the tutorial we recommend that folks use private subnets for worker nodes and public subnets for provisioning public facing load balancers. The sample script we provide to provision a VPC creates only public subnets. This seems inconsistent. Can we provide a sample CFn template that creates public & private subnets instead? Happy to provide a PR for that template, but I'm not sure how.

[willingham]

@ritesh I noticed the same thing, however, I'm unaware of a way to tell EKS the difference in the subnets for proper scheduling. Are you?

[jonjozwiak]

I created a PR to clarify steps if deploying workers in a private subnet. Ideally the getting started guide would have a CFN template versus having to manually setup the private subnets. I'm also happy to write this, but don't have access to upload to the s3 bucket referenced.

@willingham You don't need to tell EKS the subnets for scheduling pods if all nodes are in private subnets. If you are running a mix of node groups in both public and private subnets you can use nodeSelectors in kubernetes as documented here. For load balancer scheduling it will deploy to public subnets by default. To deploy internal load balancers you need to tag your private subnets as documented in create-private-public-vpc.md and add an annotation for your service as shown in load-balancing.md.

[nrdlngr]

The service team added a sample CloudFormation template for creating a VPC with public and private subnets. I've added instructions to use this template or the standard public-only template to our user guide. Thanks for your suggestion!